Lack of security exposes computer systems to accidental mischief or intentional harm. Accidental mischief may innocently come from a child who somehow gains access to his parents' personal computer to cause physical loss of data, among other examples. Intentional harm is typically instigated by a “cracker,” which is a dysphemism for a person who uses computer expertise for illicit ends, such as by gaining access to computer systems without permission and tampering with programs and data. It is easy to eliminate most computer security problems—just unplug computer systems from all external communications. But this is no longer the way of doing business (if it has ever been) for many companies, especially with the quickening pace of pushing commerce to the Internet. Thus, a major focus of computer security, especially on systems that are accessed by many people through communication lines, is the prevention of system access by unauthorized individuals.
A simple security model includes three elements: a user, who must be recognized by a computer system as an authorized user of that system; a piece of content that the user wishes to view or alter, among other things; and a permission for the user to access the piece of content. This model is simple in theory but complicated for a system administrator to put into practice. Consider a situation in which a million users all want access to the piece of content. The model described above would force a system administrator to create and store a million different permissions, one for each of the million users, to limit access to the piece of content. Thus, more computing resources must be used—not to store content, but to process and store permissions. Not only is this economically unfeasible, but the “permission explosion” itself may cripple the computer system without any undertaking by crackers.
To avoid the administrative problems associated with permission explosion, an industry standard security model called role-based access control (RBAC) was developed. In role-based access control, a system administrator programmatically assigns roles to different types of users within an organization, such as a hospital's various staff, and permissions to secured pieces of content are granted to those assigned roles. Because there are fewer roles than there are users (multiple users may have the same role, such as a nurse role), permission explosion is avoided. A user receives permission through the role he is assigned. A user can have multiple roles, hence indirectly gaining multiple permissions to access content in a computer system. A role can inherit the characteristics of other roles, so that a user with an inheriting role also gets all the permissions granted to the inherited role. Although the role-based access control model eliminates the administrative problems associated with permission explosion, it creates new administrative problems, namely those associated with “role explosion.”
Consider the following explicit role inheritances: the Irish are Europeans (an Irish role inherits from a European role), and ophthalmologists are surgeons (an ophthalmologist role inherits from a surgeon role) who are doctors (a surgeon role inherits from a doctor role). If the system administrator needs to add just one complex role: “Dr. Murphy is an Irish ophthalmologist,” this would require the system administrator to create from such a complex role many implied roles: Irish, European, ophthalmologist, surgeon, doctor, Irish ophthalmologist, Irish surgeon, Irish doctor, European ophthalmologist, European surgeon, and European doctor.
Only 11 implied roles are created in the example above, but there are situations that require the system administrator to create and painfully maintain thousands of roles so as to allow users to access pieces of content that are available only to an esoteric role. In practice, the system administrator compromises the security requirements of a company to avoid prohibitive administration costs and errors in the maintenance of roles. Another problem arises whenever a new piece of content is added to the computer system with its own unique security requirements. The system administrator not only has to create a new role to represent the unique security requirements of the new piece of content, but he also needs to create a relationship between the new piece of content and the new role, as well as multiple relationships (possibly thousands) with existing roles. In practice, the system administrator avoids unearthing existing roles to understand how the new role fits among them and instead likely adds the new role in an ad hoc manner, without considering the wider security implications of accommodating the new piece of content, so that he can move on with his business.
A system 100 in FIG. 1 illustrates the above-described problem as well as other problems in greater detail. The system 100 is a portion of a management information system at an organization, such as a hospital 120. The system 100, whose security depends on a role-based access model, is designed for processing and organizing information so as to provide various levels of management of the hospital 120, with accurate and timely information needed for supervising activities, tracking progress, making decisions, and isolating and solving problems.
The system 100 includes a user 102, who is Dr. Murphy, the surgeon; a user 104, who is a nurse; and a user 106, who is a CT scan technician. Users 102-106 are all employees of the hospital 120. Employees can gain entry to the hospital 120 via electronic card access (not shown). Using the role-based access control model, users 102-106 can inherit the role of employee (role 108). Role 108 has privileges, which include hospital entrance permission (permission 114). Because users 102-106 have the role of employee (role 108), users 102-106 can gain entry to the hospital 120 by waving their electronic cards near an electronic detector so as to allow the system 100 to verify their roles, hence granting them permission to enter.
Suppose that the hospital 120 procures eye laser equipment 122. Only authorized users with the appropriate training, a requirement associated with permission 116, may access and use the eye laser equipment 122 (which has a computer system to which a user must log on to operate the eye laser equipment 122). One such user is the user 102 (Dr. Murphy, the surgeon). However, the role-based access model does not permit a specific user to be granted access to a specific piece of content (so as to avoid permission explosion). Instead of trying to understand the existing roles in the system 100, a system administrator of the hospital 120 fabricates a new role of “Dr. Murphy, the surgeon” (role 110) so as to allow only the user 102 (Dr. Murphy, the surgeon) to use the eye laser equipment 122. The problem, however, is that role 110 is not a role at all. If there were a thousand doctors, each doctor would require his own role, thereby creating permission explosion again.
Now suppose the hospital 120 were to procure new CT scan equipment 124. The CT scan equipment 124 has a computer to which a user must log on in order to operate the CT scan equipment 124. Only authorized users of the hospital 120 are allowed to access and use the CT scan equipment 124. Instead of trying to understand the existing roles at the hospital 120, the system administrator creates the role of a CT scan machine (role 112), which is associated with permission 118, allowing access to user 104, the nurse, and user 106, the CT scan technician. The fabricated role of the CT scan machine (role 112), however, makes no sense at all within the role-based access control model because it does not identify a group of users within an organization, but instead identifies a machine for the convenience of the system administrator. This non-representative role 112 attenuates the security strength of the system 100 over time because system administrators have an increasingly difficult time understanding the various role relationships, which makes it harder to manage authorized users and to eliminate unauthorized access.
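The following Python is an added example, not part of the patent text or of any real system: it models the single-inheritance role chains and permission resolution described above, reproduces the count of implied roles for the “Irish ophthalmologist” case, and adds an administrator's check for the single-holder roles (such as role 110) that the FIG. 1 discussion criticizes. All role, user and permission names, and the check itself, are assumptions of this example.

```python
# Toy RBAC model with single-inheritance roles (example written for this page,
# not the patent's system; all role, user and permission names are constructed).
from collections import Counter
from itertools import product

# child role -> parent role it inherits from (the background's explicit chains)
PARENT = {"irish": "european", "ophthalmologist": "surgeon", "surgeon": "doctor"}

# permissions granted directly to roles, loosely after FIG. 1
GRANTS = {
    "employee": {"hospital_entrance"},           # role 108 / permission 114
    "dr_murphy_the_surgeon": {"use_eye_laser"},  # role 110 / permission 116
    "ct_scan_machine": {"use_ct_scanner"},       # role 112 / permission 118
}

# user -> directly assigned roles, after users 102-106
ASSIGNMENTS = {
    "dr_murphy": {"employee", "irish", "ophthalmologist", "dr_murphy_the_surgeon"},
    "nurse": {"employee", "nurse", "ct_scan_machine"},
    "ct_technician": {"employee", "ct_technician", "ct_scan_machine"},
}

def ancestors(role):
    """The role itself followed by every role it transitively inherits from."""
    chain = [role]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def effective_permissions(user):
    """Union of the grants on each assigned role and on all of its ancestors."""
    perms = set()
    for role in ASSIGNMENTS.get(user, set()):
        for r in ancestors(role):
            perms |= GRANTS.get(r, set())
    return perms

def implied_roles(*components):
    """Roles implied by a conjunctive role such as 'Irish ophthalmologist':
    every ancestor of each component plus every cross-chain combination."""
    chains = [ancestors(c) for c in components]
    singles = {r for chain in chains for r in chain}
    combos = {" ".join(combo) for combo in product(*chains)}
    return singles | combos

def single_member_privileged_roles():
    """Admin check: a role that carries grants but has exactly one holder is a
    per-user permission in disguise (the 'Dr. Murphy, the surgeon' anti-pattern)."""
    holders = Counter(r for roles in ASSIGNMENTS.values() for r in roles)
    return sorted(r for r, n in holders.items() if r in GRANTS and n == 1)
```

With these chains, `implied_roles("irish", "ophthalmologist")` yields the 11 roles listed in the text, and the check flags only the fabricated per-person role.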
The problems described above are made more severe by the desire of many companies to expose corporate content to business partners and customers over the Internet. For example, the hospital 120 may allow a patient to view his hospital bills on-line from his home. Given the problems encountered in maintaining content security within an organization with relatively few users, it will come as no surprise that exposing corporate computing assets to the world causes role explosion to an exponential degree, consuming time, introducing error, and sapping performance while rendering information to users both internally and externally. Without a resolution to the problem of role explosion, users may eventually no longer trust the system 100 to provide a secured computing experience that allows quick access to content by authorized users while preventing access to content by unauthorized individuals. Thus, there is a need for a system, method, and computer-readable medium for securing information while avoiding or reducing the above problems associated with existing systems.